Month: January 2017

Moving towards a secure digital economy

Samir Saran| Vivan Sharan

Even as incessant political bickering is polarizing opinion on demonetisation, India is making a significant transition to a digital payments ecosystem. This project endeavours to breach the urban-rural divide, geographical exclusions of the real world, and income criteria that privileged only a few with access to certain private and public services. This new digital payments ecosystem is brutal in its attempt to alter the way India transacts, trades and is taxed.

A wider adoption of digital payments will invariably change the dimensions of risks, crime and security as well. If pickpockets were a common menace some decades ago, cybercriminals may dominate conversations in the days ahead as they eye digital and online transactions. While the “pickpocket” had to select a relatively “fat target” to make the effort and risk worthwhile, the cyber thief will have a low-risk environment (lack of forensic capabilities, human capacities and attribution challenges) and an expansive reach of technology that will make even “petty pickings” attractive. And although cybercrime will affect us all, it will harm the poor disproportionately. It could ravage the small savings of many, deprive them of their meagre means and, most importantly, result in erosion of trust in the financial ecosystem currently being built. It is, therefore, important that the government pay heed to small fraud.

Read Also | Demonetisation

An early warning of this was provided by the frisson of panic that followed the cautionary message from the newly launched Bharat Interface for Money application (BHIM app) on 4 January 2017: “Users please beware: Decline all unknown payment requests you may get! We will work on an update, which will allow you to report spam.” This response is inefficient and leaves the ecosystem vulnerable to malicious intent.

Governments around the world and here in India must respond to this new dimension, where “petty cash is big money” and digital pickpockets pose a range of threats to individuals, institutions and economic stability itself. Most governments have left themselves with little time to create the requisite mitigation capabilities. The velocity of digitization and technology adoption must necessitate a response from policymakers different from what was the norm in the “public sector era”, where Centrally controlled banks and enterprises offered a modicum of stability, privacy, and security (with less efficiency). To achieve this, a comprehensive approach for securing the digital ecosystem must be devised and some actions must be taken immediately.

First, there are a multiplicity of stakeholders operating networks and tools that pose varying degrees of risk. This, in turn, demands differentiated security responses. These include the Reserve Bank of India (RBI)-run National Electronic Funds Transfer (Neft) and Real Time Gross Settlement (RTGS), the National Payment Corporation of India’s (NPCI’s) Immediate Payment Service (IMPS) on which the Unified Payments Interface (UPI) currently operates, traditional card networks, mobile payments solutions, various banking apps. In a report released in December 2016, the Union ministry of finance’s committee on digital payments suggested a hierarchical approach based on the level of “systemic risk” posed by different tools and networks. This must form the design basis going forward.

Second, while industry is consulted by expert committees such as the one referenced above, an inclusive multi-stakeholder consultative process must become the norm for policymaking itself, to avoid arbitrariness. This can be done by instituting multi-stakeholder consultations that are transparent and inclusive. This is the model India has agreed is best suited to govern the Internet internationally, and it’s time to adopt consonant processes at home.

Third, while the “mobile” is being hailed as a replacement for physical wallets as well as a proof of identity through its widespread use in second-factor authentication of digital payments, government and users should be circumspect about the risks involved. For instance, there is evidence to suggest that distributed denial-of-service (DDoS) attacks—in which a multitude of compromised systems attack a single target, causing denial of service for users of the targeted system—are increasingly targeting the applications layer rather than the network layer of the Internet. In layman terms this means a sophisticated mode of cybercrime is being unleashed on unsuspecting users of mobile applications and popular software.

Mature hardware-based solutions, such as tamper-proof Universal Integrated Circuit Cards and Embedded Secure Elements, are being tested against the latest forms of cyberattack. Software-based solutions such as Host Card Emulation are also relatively secure but require upgrades through the cloud, placing large data demands on the user and testing the service capabilities of the issuer.

Globally payment solutions that have been able to integrate hardware- and software-based security exist, but domestic mobile payments providers are relying largely on software-based security solutions. And while the Indian government’s Computer Emergency Response Team, RBI and NPCI are undertaking security audits of payment solutions, it is important that users be given standardized information to make informed choices, particularly when the digital adoption drive is at its height.

Lastly, it may be useful for the government to think of the digital payments ecosystem, now anchored by the NPCI, as analogous to the Internet. And much like the Internet, the National Financial Switch (the infrastructure backbone of all Indian ATMs, operated by the NPCI) must acquire robust redundancies offered by private-sector partnerships in order not to be a vulnerable single point of failure—which can potentially be compromised by self-styled “legions” of hackers. The NPCI should be managed through multi-stakeholder groups that can help with standard-setting, and can ensure that the payments ecosystem serves the common citizen, making even a small transaction online.

This commentary was first published in Live Mint.

Rethinking the Future of Asia: Moving Beyond U.S. Dominance

Asia needs to discover a bridge between multipolarity and multilateralism. India could play an important role as a “bridge power.”

By and , December 11, 2016
Original link is here

Asia will shape the 21st century as much as the Atlantic consensus shaped the 20th century, or Europe the 19th. But to get there, Asia has to pursue a new project, one that begins to create a political Asia.

Like the Atlantic order flourished on the basis of the Bretton Woods and UN systems, Asia needs a reordering of the global landscape. We need a new management, a new board of directors and a new security architecture.

Any usable platforms?

At the very least, this emerging Asian system needs to bring three resident actors (China, Japan and India) and two regional stakeholders (the United States and Russia) to the same table. Other sub-regional influencers should be drawn in as well.

Could the East Asia Summit, of which all these countries are members, serve as a possible platform for such an architecture? Not quite. The East Asia Summit cannot really address the concerns of Central and West Asia.

Alternatively, Ii an expanded mandate for the G20 (seven Asian countries, two more if one were to include Turkey and Russia) the answer? Or do we need to think about a greenfield institution?

Three possibilities

Three possibilities — distinct, but not mutually exclusive — emerge. At the commencement of the 21st century, Asia’s politics resembles the fraught, rudderless multipolarity of the beginning of the 20th.

It took 50 years and two world wars for that reckless order to settle into a multilateral equilibrium.

Asia has to do it better, faster and without the external “stimulus” of a “Great War.” As the dowager power, the United States can incubate new institutional arrangements in Asia, playing Greece to emergent Asia’s Rome, to borrow from Harold Macmillan’s description of the post-war relationship between Britain and the U.S.

Option 1: India as the bridge power

Should the United States choose to bequeath the liberal international order to Asian powers, India will be the heir-apparent.

However, India would not play the role of a great power, but simply that of a “bridge power.” Asia is too fractious and politically vibrant to be managed by one entity.

India is in a unique and catalytic position, with its ability to singularly span the geographic and ideological length of the continent.

But for that to become a distinct possibility, two variables will need to be determined:

1. Can the US find it within itself to incubate an order in Asia that may in the future not afford it the pride of place like the trans-Atlantic system?

2. Can India get its act together and utilize the opportunity that it has right before it to become the inheritor of a liberal Asia?

Option 2: An Asian “Concert of Nations

The second possibility for a future Asian order is that it resembles the 19th century Concert of Europe. That would mean opting for an unstable but necessary political coalition of major powers on the continent.

The practical result would be that the “Big Eight” in Asia (China, India Japan, Saudi Arabia, Iran, Australia, Russia and the United States of America) would all be locked in a marriage of convenience (one hopes).

To be sure, aligning their disparate interests for the greater cause of shared governance, in one way or another, is a desirable outcome.

Difficult as it would be to predict the contours of this system, it would likely be focused on preventing shocks to “core” governance functions in Asia.

These include the preservation of the financial system, territorial and political sovereignties and inter-dependent security arrangements.

Given that each major player in this system would likely see this merely as an ad hoc mechanism, there is a potential major downside: Its chances of devolving into a debilitating bilateral or multi-front conflict for superiority would be high — very much like the (European) Concert of Nations eventually that gave way to the First World War.

Option 3: Sidelining the U.S.?

A third possibility could see the emergence of an Asian political architecture that does not involve the United States. This system — or more precisely, a universe of subsystems — would see the regional economic and security alliances take a prominent role in managing their areas of interest.

As a consequence, institutions like ASEAN, the Shanghai Cooperation Organization, the AIIB, the Gulf Cooperation Council and the South Asian Association of Regional Cooperation would become the “hubs” of governance.

The United States, for its part, would remain only distantly engaged with these sub-systems. It would be neither invested in their continuity nor be part of its membership.

Which outcome?

Rather than crystal gazing these three possibilities, our objective is to gauge the political underpinnings behind an emerging Asian architecture. Very simply, the question is: Will it be defined by contestation or cooperation?

Quite a bit will depend on the stance of the United States. Can the U.S. incubate a political order that is largely similar to existing multilateral systems? Or will the cost of creating disruptive institutions keep Asian countries from buying into them?

Beyond the U.S. dimension, can any credible pan-Asian governance institution successfully absorb — or at the very least acknowledge — the cultural, economic and social differences that characterize the continent?

Conclusion

The quest for the Asian century is not about finding the Holy Grail of shared governance, but diagnosing the right means to reach a sustainable and inclusive platform.

Rethinking the Future of Asia: Moving Beyond U.S. Dominance – The Globalist

About Ashok Malik

Ashok Malik is a Distinguished Fellow, and Head of ORF’s Neighbourhood Regional Studies Initiative.

About Samir Saran

Samir Saran is Vice President of the Observer Research Foundation.

Democracy, Diversity, Development: 2016 was dominated by their dark sides, can we channel the Force this year?

Times of India, Blog page, 10 January, 2017

Original link is here

2016 was witness to dramatic political changes. Everything that seemed improbable, even unthinkable somehow found new ways of manifesting itself, and that too repeatedly.

The impregnable walls of the European Union (EU) were breached when its largest security provider, Britain, decided to break free from the European project. A celebrity of a reality TV show was able to capture the imagination of a frustrated American public and walked away with a near impossible victory in presidential elections.

Liberal actors and voices were constantly defeated in many arenas by populist movements. The new energy of right-wing forces in several geographies competed with the new fanaticism among Islamic radicals. The defeat of liberalism defined the mood and events of 2016.

More than any year in the recent past, 2016 signified a metamorphosis of the global order itself. 2017 therefore becomes a very significant year as it brings together two unknowns for all of us to grapple with.

First is the future of global economics and financial systems, which are yet to be adequately restructured following the crises of 2008. Second are the political questions raised by the happenings of the year gone by. Both of these will have to be addressed discretely and jointly, if gains of the post-war order are to be maintained and strengthened.

Three, words must receive significant attention this year as we respond to the economic and political challenges that lie ahead: democracy, diversity and development. All three are today under threat, and all three by themselves are a threat to global stability.

In sheer numbers, more countries have adopted democracy as their principal political system than ever before. But there is also little doubt that there has been petty and political capture of democratic systems within these countries.

Democracy as a social ethic is under threat. It is assuming shades of majoritarianism in some instances – becoming a tool for convenient choices by the majority section of society. Democracy has also become a means for political leaders to absolve themselves from taking hard decisions. The moral fibre of democracy is being undermined by its numerical logic.

It can be argued that democracy is becoming a weapon to weaken pluralism. The ability of multitudes to take part in democratic debates through mass media, social media and other emerging platforms has certainly included new stakeholders. Yet the principles of the ensuing debates are no longer decided by what is right or wrong, but on the basis of right and left; ideologies multiplied by numbers are determining outcomes.

Democracy has also been hijacked as a legitimising tool by undemocratic forces. Be it Islamist parties in Turkey and the Middle East, or fundamentalist groups in Asia, the US and Europe, all of them have used democratic means to fulfil undemocratic objectives. In many societies, the word “democracy” needs to be re-thought, re-imagined, re-served, and made compatible with pluralistic principles.

Diversity is at one level being threatened by majoritarianism – by brute force that seeks to reduce those who are different, and marginalise those who belong to minority communities. On the other hand, diversity itself is now being used as the basis to recruit and create small communities, sub-national identities and radical movements that are fuelled by the difference that defines diversity – with violent consequences.

An extreme fringe of the Muslim community in Europe, the Buddhists in Myanmar, and Shia-Sunni postures in the Middle East: all of these are using this difference to either inflict violence on the ‘other’ or to motivate violence against those seen as irreconcilable enemies.

Technology and diversity together have created a new dynamic. Assimilation of outsiders in new communities has today become improbable as, instead of communicating with their physical neighbours, people remain locked in with those miles away.

This creates a basis of new exclusions, divisions and differences between those who may otherwise be in physical proximity. It makes the evolution of assimilative cultures and societies more difficult. In fact, it threatens to undermine syncretic civilisations that have existed over millennia. Diversity is both under threat, and is a threat in itself.

Development today is being threatened by a reluctance of large and important players to remain invested in liberal trading systems; to commit to the ideals of globalisation; to promote cross-border flows of finance, technology and people; and to achieve a convergence of lifestyles across continents.

Democratic forces, and fissures of diverse interests, vantage points and identities, make convergence on development goals near impossible. Institutionalised greed and the lack of enlightened action, masking itself as capitalist principle, will challenge both the global objective of responding to climate change as well as achieving the Sustainable Development Goals (SDGs).

But development is also a threat. Large actors, with large pools of funds, have begun to steer the processes of development to their own advantage. They seek to make life choices for all: to define healthcare for each citizen on Earth, write trade narratives for each society, define what constitutes the well-being and happiness of this planet, and adjudicate the boundaries to right to life itself. Development finance, aid, loans and know-how, under the garb of development partnerships, are seeking to create a landscape of economic growth, trade and transaction that will benefit a few.

The dark sides of democracy, diversity and development have defined global and local politics lately. Can 2017 be the year when the tide begins to turn and when a new light illuminates the essential and positive ethic associated with each of these three words?

DISCLAIMER : Views expressed above are the author’s own.

 

Time to face up to cyber threats

Samir Saran

Cyber insecurity is now a global risk no different from the warming climate or forced displacement. Is such insecurity a business risk or a “public bad”?

 Cryptocurrency,Cyber Insecurity,Digital Economy,Digital India,Digital Infrastructure,Digital Payments,Global Commons,ICT,Innovation,Internet of Things
Courtesy: Gresham College

Crimes in cyberspace, by one estimate, now cost the global economy $445 billion a year. Cyber insecurity is now a global risk no different from the warming climate or forced displacement. Is such insecurity a business risk or a “public bad”? If the security of digital infrastructure is viewed as a business risk, who should mitigate it? Should states be responsible for the integrity of networks and data within their territories, failing which they will be classified as “risky” to do business in in the digital economy? Were cyber insecurity treated as a “public bad”, governments could justifiably conclude that vulnerabilities in one device or platform affect an entire ecosystem, and create a liability regime that shifts the burden on the private sector.

These issues are important to ponder as the Digital India programme and demonetisation encourage the rapid adoption of digital payments technologies. It is not only difficult to assess the “risk” of transacting in the digital economy, but also determine who such risks should be absorbed by. For instance, a high-end device may be able to offer security on the back of its tightly controlled supply chain, but what if an end user, by opening the door to a hidden exploit, compromised its operating system?

Three crucial trends will decisively influence the future of cyber security — the centralisation of data, the arrival of connected devices, and the rapid adoption of digital payments technologies. Centralised control over data can make access to databases easier and more vulnerable to attacks. The Internet of Things (IoT) ecosystem is set to explode, with more than 24 billion devices expected to be connected to the Internet by 2019. The sheer scale, size and diversity of the IoT environment makes risk difficult to measure.

Read | The great 21st century data rush

Perhaps the most important factor is the scale and speed at which digital payments have been adopted across the spectrum of transactions. Payment gateways work the same for all users irrespective of the volume or commodities/services transacted, but they are accessed on devices that vary greatly in their ability to protect data. How would insurers gauge the risk inherent in such a diversified market? Consider then, these key questions and conundrums.

First, if cyberspace is a global commons, will the socialisation of “bad” follow the “privatisation of profits”?

Unlike the environment, the oceans or outer space, digital spaces are not discovered — they are created. Cyber insecurity has been made out to be a global threat but the fact remains that the economic gains from securing digital spaces still accrue to a few countries and corporations. Do developed markets have a common but differentiated responsibility to secure digital spaces? If it is the responsibility of all, can developing countries also get a share of the economic gains from electronic commerce?

Cyber insecurity has been made out to be a global threat but the fact remains that the economic gains from securing digital spaces still accrue to a few countries and corporations.

Second, cybersecurity is a private service — how can we make it a public good?

Digital spaces are common to all, but the provision of their security is increasingly guaranteed by the private sector. This is in stark contrast to governance models in emerging markets, where the state underwrites law and order. How can the public and private sectors work together to provide this common good?

Third, India is moving towards security by identity, but many advanced economies believe security comes through anonymity. Are we on the wrong side of history?

Encryption is becoming the norm in advanced economies, as a result of which data is increasingly out of the reach of law enforcement agencies. On the other hand, India has moved towards biometric identification programmes that place a premium on identity. The “Aadhaar impulse” is driven by a requirement to target beneficiaries effectively, but without strong data protection regulations, the digital economy would be less than secure.

Read | Framing multistakeholder conversations on encryption

Fourth, if cash-based systems, ATMs and payment gateways are increasingly vulnerable to cyber-attacks, are “distributed ledger technologies” going to make governments adopt cryptocurrencies?

Blockchain and other technologies that “crowdsource” the authentication of online transactions using bitcoins are more difficult to target, because they are by their very nature, distributed ledgers. Will the increasing insecurity of the fintech ecosystem push us towards cryptocurrencies?

Fifth, cyber security is an expensive proposition in advanced economies, where the most sophisticated instruments are also assumed to be the safest. How can India apply its famed “frugal innovation” in this space, and protect the user while providing affordable access to the Internet?

The ICT supply chain in India is only as strong as its weakest link: the end user. If the user is from rural India, with a limited understanding of the devices and transactions she accesses, her device is a point of vulnerability. If the device itself is “low-end”, which places a premium on cost over security, this forms a lethal mix that endangers the security of all users in the ecosystem. India cannot afford a false separation between access and security in digital spaces, as the qualitative nature of access will determine ICT security for a billion people.

Sixth, who determines the risk of transacting on the Internet, and how?

If transactions in cyberspace will invariably carry an element of risk, who will guarantee them? The buyer, seller or intermediary? As in the case of shipping, will we see a form of cyber-insurance applied to cover the risk of malicious attacks online?

Developments in cyber security leads one to surmise that economies will soon be subject to a risk-assessment based on the integrity of their networks. Risk-based assessments offer predictive value and guarantees of stability to businesses, but they should not perpetuate inequities that exist offline.

Limited means to enhance cybersecurity in developing economies should not set back investments in the digital economy, which in turn create a vicious cycle rendering the overall ecosystem insecure. The international community must articulate ways in which such risks can be mitigated, and facilitate access in emerging markets to technology and finance that generate investments in cybersecurity.

This commentary originally appeared in Hindustan Times.